A single Go binary. No daemons to babysit, no Docker, no reverse proxy config files.
Generates a local CA, installs it into your system keychain once. Every domain gets a signed cert. Green lock, always.
ECDSA P-256One command to start. devtun manages /etc/hosts, cert generation, and the LaunchAgent. Nothing to hand-edit.
Auto-start on loginRaw TCP hijacking means WS connections work without any special proxy config. Next.js, Vite, Remix — all fine.
Full duplexOne flag and your local port is live at a public URL. Password protection and TTL expiry included.
--port 3000Add and remove domains without restarting anything. The daemon swaps its route table atomically.
Zero downtimeCommit a .devtun.yaml to your repo. Every developer gets the same HTTPS setup without any manual steps.
YAMLRun the install script and then devtun start. A local CA is generated, trusted by your system, and the daemon is registered as a LaunchAgent. One sudo prompt. Done forever.
Run devtun up example 3000. A TLS cert is issued for example.test, /etc/hosts is updated, and the route is live. The daemon hot-reloads — no restart needed.
Visit https://example.test. Green padlock. No warnings. Port 443 → 8443 via a pf rule so the daemon never needs root after setup.
Run devtun share --port 3000. A tunnel connects to the relay server and you get a unique public URL like swift-river-4271.devtun.show.
devtun start
Generate CA, install trust, start daemon
devtun up <name> <port>
Add https://<name>.test → localhost:<port>
devtun down <name>
Remove a .test domain mapping
devtun list
List all active domains and their status
devtun share --port 3000
Create a public URL for a local port
devtun logs -f
Follow the proxy daemon log in real time
devtun stop
Stop the daemon
devtun doctor
Run health checks on your setup
Installs to ~/.local/bin — no sudo required.
Free forever. Open source. No account, no cloud dependency, no telemetry.